Trojan Troubles - help!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by roysiboysie, Jul 14, 2007.

  1. roysiboysie

    roysiboysie Private E-2

    Hi, I have been through "read & run me first" and seem to be stuck with several Trojans like jaunsearch and AOY but I don't really know what I've got and I hope you can help!
    I have attached the required logs although the only one that seemed to find anything was BitDefender but over to you please! Panda ActiveScan didn't find anything and didn't create a log file. I'll send the other 2 in the next message.
    Thanks, Roy.
     

    Attached Files:

  2. roysiboysie

    roysiboysie Private E-2

    Hi, here are the other logs I created. I also can't seem to stop getting pop-ups so help here would be great too!
    Thanks, Roy.
     

    Attached Files:

  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Moved to malware forum.
     
  4. roysiboysie

    roysiboysie Private E-2

    Thanks Halo, first time posting a thread and got a bit confused! Did I attach the right files?
    Thanks, Roy.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It appears that you did not install GetRunKey properly. You did install ShowNew okay into its own folder named F:\ShowNew but you did not do the same for GetRunKey. It looks like you ran it directly from the ZIP file. Please install it properly now into either a folder named F:\GetRunKey or you can extract all its files into the same folder as ShowNew.

    Please start by uninstalling CounterSpy since we are finished with this trial program now.

    Uninstall the below old versions of software we will install current version later:
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    Mozilla Firefox (1.5)


    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    khfcc.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    khfcc.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    khfcc.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {3AEBAB3C-F89F-4824-9E41-5D580F14F747} - F:\WINDOWS\system32\edsurgku.dll (file missing)
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - F:\WINDOWS\system32\bpwandoj.dll (file missing)
    O2 - BHO: (no name) - {748B3F92-D090-499A-931C-B753EFDA6644} - F:\WINDOWS\system32\khfcc.dll
    O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - (no file)
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "F:\WINDOWS\system32\vrwogevy.dll",realset
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
    O20 - Winlogon Notify: khfcc - F:\WINDOWS\system32\khfcc.dll
    O20 - Winlogon Notify: urqomkh - urqomkh.dll (file missing)
    O23 - Service: DomainService - Unknown owner - F:\WINDOWS\system32\wsgbryrm.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
    double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Now run Ccleaner!

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.




    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox
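The fix list above pairs a HijackThis fix with a Process Explorer thread kill because the same module (khfcc.dll) is registered both as a BHO (O2, loaded by explorer.exe and iexplore.exe) and as a Winlogon Notify package (O20, loaded by winlogon.exe): while those processes hold it, the file cannot be deleted and the registration is re-created. The following is an added example, not part of the thread and not one of the MajorGeeks tools (GetRunKey, ShowNew, HJT, Avenger). It parses the HJT lines quoted in the post (copied here as constructed sample input) and groups them the way the instructions do: which modules must be unloaded from which hosting processes first, which files are actually present on disk, and which entries are stale registrations with no file behind them. The mapping of entry types to hosting processes is an assumption of the example, as is the rule that entries marked "(file missing)" or "(no file)" need only a registry fix.

```python
"""Triage HijackThis-style autostart entries before cleanup.

Added example; not code from the thread or from any MajorGeeks tool.
Assumptions (not stated on the page): O2 BHOs are loaded by explorer.exe
and iexplore.exe, O20 Winlogon Notify DLLs by winlogon.exe, and entries
HJT marks as missing have no file left to delete.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the HJT fix lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3AEBAB3C-F89F-4824-9E41-5D580F14F747} - F:\WINDOWS\system32\edsurgku.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - F:\WINDOWS\system32\bpwandoj.dll (file missing)
O2 - BHO: (no name) - {748B3F92-D090-499A-931C-B753EFDA6644} - F:\WINDOWS\system32\khfcc.dll
O2 - BHO: (no name) - {92A444D2-F945-4dd9-89A1-896A6C2D8D22} - (no file)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "F:\WINDOWS\system32\vrwogevy.dll",realset
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O20 - Winlogon Notify: khfcc - F:\WINDOWS\system32\khfcc.dll
O20 - Winlogon Notify: urqomkh - urqomkh.dll (file missing)
O23 - Service: DomainService - Unknown owner - F:\WINDOWS\system32\wsgbryrm.exe (file missing)
"""

# Assumption: which long-lived processes load each entry type.  Types not
# listed (O4 via rundll32, O16, O23) run on their own or once at logon, so
# they need no thread kill before the file can be removed.
HOSTS_BY_TYPE = {
    "O2": ("explorer.exe", "iexplore.exe"),
    "O20": ("winlogon.exe",),
}

MODULE_RE = re.compile(r"([\w-]+\.(?:dll|exe))", re.IGNORECASE)
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+)')
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    kind: str              # HJT section code, e.g. "O2", "O20"
    raw: str               # the original log line
    module: Optional[str]  # basename of the last .dll/.exe on the line, lower-cased
    path: Optional[str]    # full path if the line carries one
    missing: bool          # HJT reported the file as absent


def parse_hjt(text):
    """Parse the O-lines of an HJT log into Entry records (other lines are skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("O"):
            continue
        kind = line.split(" ", 1)[0]
        mods = MODULE_RE.findall(line)
        paths = PATH_RE.findall(line)
        entries.append(Entry(
            kind=kind,
            raw=line,
            module=mods[-1].lower() if mods else None,
            path=paths[-1] if paths else None,
            missing=any(m in line for m in MISSING_MARKERS),
        ))
    return entries


def triage(text):
    """Group entries into: modules to unload (and from which hosts) before
    the file can be deleted, modules present on disk, and stale registrations
    that only need the registry entry removed."""
    unload = defaultdict(set)
    present = {}
    stale = []
    for e in parse_hjt(text):
        if e.missing:
            stale.append(e.raw)
            continue
        if e.module and e.path:
            present[e.module] = e.path
        if e.module:
            for host in HOSTS_BY_TYPE.get(e.kind, ()):
                unload[e.module].add(host)
    return {
        "unload": {m: sorted(h) for m, h in unload.items()},
        "present": present,
        "stale": stale,
    }


if __name__ == "__main__":
    plan = triage(SAMPLE_LOG)
    for mod, hosts in plan["unload"].items():
        print(f"kill threads of {mod} in: {', '.join(hosts)}")
    for mod, path in plan["present"].items():
        print(f"delete after unload: {path}")
    print(f"{len(plan['stale'])} stale entries need only an HJT fix")
```

Run it and khfcc.dll comes out with all three hosts (explorer.exe, iexplore.exe, winlogon.exe), which is exactly the order of Process Explorer kills in the post; vrwogevy.dll is present on disk but has no resident host, so it goes straight to the file-deletion list; the five entries HJT flagged as missing need nothing beyond the registry fix.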
     
  6. roysiboysie

    roysiboysie Private E-2

    Chas,
    What can I say - Wow! :D This is totally fantastic! As soon as those dll's were deleted the PC came back to life. I don't think it has run like this since when I first got it! Do you think I am malware free now? Logs attached as requested.
    Thanks again for your help,
    Roy. ;)
     

    Attached Files:

  7. roysiboysie

    roysiboysie Private E-2

    ... and the one last file...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not clean yet!
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Did you do what I requested in my last message for properly installing GetRunKey like you did ShowNew? Based on your log from GetRunKey it does not look like it. Also your ShowNew log indicates you do not have a folder for GetRunKey in the root folder of drive F like you created for ShowNew. (i.e., I see F:\ShowNew but not F:\GetRunKey).

    Please extract ALL files from the GetRunKey.zip file, but this time please extract ALL of them into the F:\ShowNew folder. Then run the GetRunKey.bat file that is in the F:\ShowNew folder and attach a new log. Also attach a new log from ShowNew.
     
    Last edited: Jul 17, 2007
  9. roysiboysie

    roysiboysie Private E-2

    Hi there, thanks for all your help. I don't know why getrunkey isn't showing up in its own folder, confused, I can see it in Windows Explorer. Anyway I extracted this time into the ShowNew folder as you said so hopefully it is okay now. I've attached new log files as requested.

    How are things looking now? Performance-wise it seems good!
    Thanks, Roy.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And where was it? And what was the folder named?

    It ran properly this time now that it is in the folder with ShowNew. This probably means that you did not have all files extracted from the ZIP file into whatever folder you extracted GetRunKey into previously.

    I need to check out your logs now!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Strange but I do not see GetRunKey.bat in the F:\ShowNew folder. What files do you see in the F:\ShowNew folder?
     
  12. roysiboysie

    roysiboysie Private E-2

    Hi,
    I have getrunkey in F:\getrunkey and the files in there are: GetRunKey.bat, grep.exe, locate.com, ltime.exe, swreg.exe

    In F:\ShowNew I have the following files: GetRunKey.bat, grep.exe, locate.com, ltime.exe, ShowNew.bat, swreg.exe

    Thanks, Roy.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm! What date do you see on the GetRunKey.bat file that is in the ShowNew folder?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also what is the date on the F:\GetRunKey folder
     
  15. roysiboysie

    roysiboysie Private E-2

    GetRunKey.bat dated 5 June 07, the zip file was downloaded on 13 June 07. Make any sense?
     
  16. roysiboysie

    roysiboysie Private E-2

    getrunkey folder is 16 July 07
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well the date of the GetRunKey.bat file is correct but it does not make any sense why it is not showing up in the logs. Also the F:\getrunkey folder does not show for some reason.

    However there is something strange about how one of the utilities named locate.com is running on your PC. It is not even formatting the output the way it is supposed to be formatted and this could be part of the problem. I'm not sure why this is happening.

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. At the command prompt enter the below and tell me if you get an error message or get output from the locate command. There is a space after the word locate.

    locate /?
     
  18. roysiboysie

    roysiboysie Private E-2

    I get output from the locate /? command, no sign of any error message, but I don't know how to capture the output to show you if it is needed?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does it look EXACTLY like this make sure the version number is the same (v1.31)?
    Code:
    LOCATE.COM   v1.31   2003-12-09   C. Dye   raster@highfiber.com
    Freeware.  Copyright 1995-2003, Charles Dye.  No warranty!
    Syntax:  LOCATE [filespec] [switches]
      /H   Hidden or system        /D-  find files, not Directories
      /X   .COM, .EXE, .BAT        /D+  find Directories only
      /Fn  only First n items      /D   find both (default)
      /A   check Attributes        /T   path search
      /0   0-byte files            /R   local hard drives only
      /G   Go to directory         /K   Kill (delete) items
      /N   bare Naked display      /W   Wide display
      /S   Summary info only       /P   Peter-style display
      /L   Win95 Long filenames    /NP  No Paging
      /B:"command" Batch output    /D:[start][,end]  Date range
      /O:"string"  macro Output    /T:[start][,end]  Time range
      /C:"string"  run Commands    /S:[small][,big]  Size range
    Space between the filespec and any switches.  Output will be paged
    unless it is redirected or /NP used.  Specify default switches in a
    LOCATE= variable.  Try /D? /T? /S? /A? /B? or /O? for more help.
     
  20. roysiboysie

    roysiboysie Private E-2

    Yep! It is exactly the same.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well now this does not make any sense to me at all!

    However please note that your logs are clean and I'm just trying to determine why the tools are not working like they do on all other PCs. I appreciate the help in debugging this. It helps us to keep our tools and procedures up to date and allows us to be sure they work for everyone. While they are basically working for you, two things are not working properly:

    1. The GetRunKey folder and also the GetRunKey.bat file do not show in your logs
    2. The formatted output from the locate command is incorrect.
    From the command prompt window can you please enter the three below commands (there is a space after the word dir)
    dir F:\ > F:\flist.txt
    dir F:\getrunkey >> F:\flist.txt
    dir F:\shownew >> F:\flist.txt

    Then attach the F:\flist.txt log here.
     
  22. roysiboysie

    roysiboysie Private E-2

    The help you have given me to sort my PC is fantastic and if I can do a little bit to help with something then that is great. I think I followed your instructions, but I only used a space after dir, not anywhere else in the command. File attached.
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks OK! I wonder if it is related to the time and date format you use. Let me check something on my end.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Under Control Panel select Regional and Language Options
    In the next Window on the Regional Options tab what Country do you have selected in the box to the left of the Customize button.
    If you click the Customize button and then on the next window select the Date tab, what does it say in the box titled Short date format.
     
  25. roysiboysie

    roysiboysie Private E-2

    Hi back again!
    So we have - English (United Kingdom)
    for Short date format I have - dd/MM/yyyy
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for the info. Well it does not seem to be the date format that is causing the 2 problems I mentioned in message number 21. The second problem looks like the command is losing one of the arguments I send to it.

    From a command prompt window, enter the below commands. There is a space after the word locate and also after the *.* and also before and after the > and >>

    locate F:\getrunkey\*.* /L > F:\flist.txt
    locate F:\shownew\*.* /L >> F:\flist.txt


    Please attach this new F:\flist.txt log file to your next message.

    I have no idea why the GetRunKey.bat file or the F:\getrunkey folder are not showing in your log from GetRunKey.bat or from ShowNew.bat.
     
  27. roysiboysie

    roysiboysie Private E-2

    Since getting clean I now seem to have a problem with Avast Antivirus. It won't update and if I try to uninstall I get a setup message that says it has detected another setup program that wants to reboot Windows. After I reboot I just get the same message so at the moment I can't uninstall Avast but it isn't updating. I tried going to Avast.com and downloading the latest upgrade but it reported an error message. Any ideas? Thanks, Roy.
     
  28. roysiboysie

    roysiboysie Private E-2

    Must have crossed posts. Here is the new flist.txt file.....
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you delete the F:\getrunkey folder?
    And it does appear that for some reason the /L option for the locate command does not work on your PC. I have no idea why but that explains why the output format is wrong.

    Are you using a paid version of Avast or the free version?
    Give this a run: Windows Installer CleanUp Utility
     
  30. roysiboysie

    roysiboysie Private E-2

    The F:\getrunkey folder is still there. I am using the free version of Avast. I launched the Windows Installer Clean Up Utility but it didn't show Avast in the list, unless it is: AiO_scan, AlOMinimal, or AiOsoftware, any ideas? Thanks.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now that is really strange. Enter the below from a command prompt.
    locate F:\*.* /L /NR > F:\flist.txt

    Attach the new F:\flist.txt file here.

    No those are for printer software.

    Try using the below to uninstall it:

    Your Uninstaller! 2006
     
  32. roysiboysie

    roysiboysie Private E-2

    Here's the new flist.txt
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please right click on the F:\getrunkey folder and select Rename. Rename it to just GRK. Then re-run the same command from message # 31 and attach the new log.

    Did you try Your Uninstaller yet?
     
  34. roysiboysie

    roysiboysie Private E-2

    Hi, here is the new flist.txt file.

    Uninstalled and re-installed Avast so all fine now, thanks, and thanks overall for all your help sorting out my PC - much appreciated!:D
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. And thanks for doing these experiments. Did you notice that now that the F:\getrunkey folder was renamed to GRK it shows in the flist.txt log? I wonder if some illegal characters had gotten into the folder name. Right click it again and select Rename. Change it back to getrunkey (make sure you do not add any spaces to the folder name). Then again repeat the same command from message # 31 and attach the new log.
     
  36. roysiboysie

    roysiboysie Private E-2

    Sorry for the delay. This is really strange. I renamed it back to getrunkey and flist.txt didn't show the folder, so I tried a few variations (see attached), and it is definitely excluding it if it is called getrunkey. I can call it "getrukey" but as soon as I use getrunkey it is excluded. Does this mean something has been compromised?
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I doubt that is the problem, but I also really don't know exactly why this is happening. I also don't know why the locate command does not give the correct format on your PC.

    Try naming the folder getrunke
    Does it show up?


    Download the attached Findit.zip file and then extract the Findit.bat file from the ZIP. Double click on the Findit.bat file. When it finishes, you will have a file named F:\findit.txt. Attach this file here. What this batch file does is just look for all files in your Windows folder and subfolders that have the word locate in them.
     

    Attached Files:
